Cloud Network

Wednesday, October 23, 2019

How to Configure Apache HTTP Secure Server


This post shows how to generate your own self-signed certificate and how to install a certificate to use with your secure server.






The mod_ssl configuration file is located at /etc/httpd/conf.d/ssl.conf. For this file to be loaded, and hence for mod_ssl to work, you must have the statement Include conf.d/*.conf in /etc/httpd/conf/httpd.conf. This statement is included by default in the default Apache HTTP Server configuration file.

Creating a Self-Signed Certificate

You can create your own self-signed certificate. Note that a self-signed certificate does not provide the security guarantees of a CA-signed certificate.

To make your own self-signed certificate, first create a random key using the instructions in the Generating a Key section below. Once you have a key, make sure you are in the /usr/share/ssl/certs directory, and type the following command:

Step1 :- make testcert

The following output is shown, and you are prompted for your passphrase (unless you generated a key without a passphrase):

umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
-x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:




After you enter your passphrase (or without a prompt if you created a key without a passphrase), you are asked for more information. The output, together with a set of example inputs, looks like the following (provide the correct information for your organization and host):

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:India     
State or Province Name (full name) [Berkshire]:Hyd
Locality Name (eg, city) [Newbury]:Cloud Network
Organization Name (eg, company) [My Company Ltd]:My Company, Inc.
Organizational Unit Name (eg, section) []:IT Networking
Common Name (your name or server's hostname) []:myhost.example.com
Email Address []:myemail@example.com

After you provide the correct information, a self-signed certificate is created in /etc/httpd/conf/ssl.crt/server.crt. After generating the certificate, restart the secure server with the following command:

Step2 :- /sbin/service httpd restart

Generating a Certificate Request to Send to a CA

Once you have created a key, the next step is to generate a certificate request which you need to send to the CA of your choice. Make sure you are in the /usr/share/ssl/certs directory, and type in the following command:

Step3 :- make certreq

Your system displays the following output and asks you for your passphrase (unless you disabled the passphrase option):

umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key
-out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase:
   
Type in the passphrase that you chose when you were generating your key. Your system displays some instructions and then asks for a series of responses from you. Your inputs are incorporated into the certificate request. The display, with example responses, looks similar to the following:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:India
State or Province Name (full name) [Berkshire]:Hyd
Locality Name (eg, city) [Newbury]:Cloud Network
Organization Name (eg, company) [My Company Ltd]:Test Company
Organizational Unit Name (eg, section) []:Testing
Common Name (your name or server's hostname) []:test.example.com
Email Address []:admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Generating a Key

You must be root to generate a key.

First, cd to the /etc/httpd/conf/ directory. Remove the fake key and certificate that were generated during the installation with the following commands:


Step4 :- rm ssl.key/server.key
Step5 :- rm ssl.crt/server.crt

Next, you need to create your own random key. Change to the /usr/share/ssl/certs/ directory, and type in the following command:

Step6 :- make genkey

Your system displays a message similar to the following:

umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................++++++
e is 65537 (0x10001)
Enter pass phrase:
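
The three make targets on this page (genkey, testcert, certreq) wrap plain openssl commands, as the echoed output shows. The script below is an added example, not part of the original post: it runs the equivalent commands in a scratch directory and then checks what is worth checking before restarting httpd (key length, key file mode, and that the certificate matches the key). Assumptions: a 2048-bit key instead of the 1024 bits shown in the genkey output, no passphrase so that it runs unattended, and a constructed subject with the two-letter country code IN.

```shell
#!/bin/sh
# Added example (not from the original page): the openssl calls behind
# make genkey / make testcert / make certreq, run in a scratch directory.
# Assumptions: 2048-bit key, no passphrase, constructed subject below.
SUBJ="/C=IN/ST=Hyd/L=Cloud Network/O=Test Company/OU=Testing/CN=myhost.example.com"

# genkey: umask 077 keeps the private key readable by its owner only.
gen_key() {
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null )
}

# testcert: self-signed X.509 certificate, valid for 365 days.
gen_selfsigned() {
    openssl req -new -x509 -days 365 -key "$1/server.key" \
        -subj "$SUBJ" -out "$1/server.crt"
}

# certreq: certificate signing request to send to a CA.
gen_csr() {
    openssl req -new -key "$1/server.key" -subj "$SUBJ" -out "$1/server.csr"
}

# Key length in bits, read from the certificate's public key.
cert_key_bits() {
    openssl x509 -in "$1/server.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# Succeeds only if the certificate was issued for this private key.
key_matches_cert() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if the key file mode is exactly 600.
key_is_private() {
    [ -n "$(find "$1/server.key" -perm 600)" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    gen_key "$dir" && gen_selfsigned "$dir" && gen_csr "$dir" &&
        echo "key bits: $(cert_key_bits "$dir")" &&
        key_matches_cert "$dir" && echo "key matches certificate" &&
        key_is_private "$dir" && echo "server.key is mode 600"
    rc=$?; rm -rf "$dir"; return $rc
}
demo
```

The same three check functions can be pointed at /etc/httpd/conf once the real files are in ssl.key/ and ssl.crt/, provided the paths inside the functions are adjusted to that layout.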